I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

This control includes five (5) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 control and five (5) IG2 controls. This means that, at a minimum, we want to:

The biggest hang-up I see with this control is its scope. Many folks think only of the major systems (servers, workstations, firewalls, etc.) and the most common software (e.g., MS Office). The bold font added above is my own addition; it calls out the fact that this control applies to virtually every piece of hardware and software in your environment. There is hope here – you don’t actually have to maintain a granular security guide for every single piece of hardware or software!

You should perform an initial analysis to determine if a particular asset:

Has the ability to manage the configuration

Warrants the additional oversight

If you answer “no” to either of these items, you are likely better off documenting a list of systems and software for which you are accepting the risk of not managing configuration at a granular level. This list should be maintained – meaning you can’t toss an asset on it and forget about it. Periodically review the list to see whether the situation has changed. An example is off-the-shelf software that does not access any sensitive information – you can’t do much there, so track it as an asset you will not maintain a detailed configuration guide for.

The last item to keep in mind is usability and taking a realistic approach to configuration. The DISA STIGs and CIS Benchmarks are excellent guides to securing hardware and software, but chances are not all of your systems need to match these configurations 100%. At the end of the day, document your thought process on why assets do or do not have a configuration guide. Within those guides, settings should be chosen with a purpose – do not haphazardly pick and choose items to enforce.
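As an added illustration (not from the original post, CIS or DISA), here is a small Python checker that compares an sshd_config excerpt against a baseline in which every enforced setting carries a stated purpose, and honors a risk-acceptance register only while each entry's review date is still current, so an accepted exception cannot simply be forgotten. The baseline values, the exception entry and the config excerpt are all constructed for the example.

```python
# Constructed baseline (not a real CIS Benchmark or STIG): expected value plus the purpose for enforcing it.
BASELINE = {
    "PermitRootLogin": ("no", "limit direct privileged remote access"),
    "PasswordAuthentication": ("no", "key-based authentication only"),
    "MaxAuthTries": ("4", "slow down password guessing"),
    "LogLevel": ("VERBOSE", "evidence for the audit-log control"),
}

# Constructed risk-acceptance register: a deviation needs an owner, a reason and a review date.
# Dates are ISO strings (YYYY-MM-DD), which compare correctly as plain strings.
EXCEPTIONS = {
    "PasswordAuthentication": {"owner": "ops-team", "reason": "legacy backup host cannot use keys",
                               "review_by": "2024-01-31"},
}

def parse_sshd_config(text):
    """Parse 'Key value' lines; comments and blanks ignored, first occurrence wins (as sshd does)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings

def evaluate(observed, today, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Classify each baseline setting: pass, fail, accepted (exception in date) or stale-exception."""
    findings = {}
    for setting, (expected, _purpose) in baseline.items():
        if observed.get(setting) == expected:
            findings[setting] = "pass"
            continue
        exc = exceptions.get(setting)
        if exc is None:
            findings[setting] = "fail"
        elif exc["review_by"] < today:
            findings[setting] = "stale-exception"  # accepted risk whose review date has passed
        else:
            findings[setting] = "accepted"
    return findings

# Constructed sshd_config excerpt for a host under review; LogLevel is absent, so it fails.
SAMPLE_CONFIG = "# constructed\nPermitRootLogin no\nPasswordAuthentication yes\nMaxAuthTries 6\n"

if __name__ == "__main__":
    for setting, verdict in evaluate(parse_sshd_config(SAMPLE_CONFIG), "2024-06-01").items():
        print(f"{setting:24} {verdict}")
```

Run as of 2024-06-01, the PasswordAuthentication exception shows up as stale rather than silently accepted, which is the periodic-review behavior the list needs.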

In lieu of screenshots for this control, I thought this video does a good job demonstrating the use of CIS-CAT to validate a system’s configuration: